On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
> But IPA is more complex and some operations will be performed directly
> against the specific server name, so you need to keep 2 sets of keys
> (one for the server name and one for the load balancer name), but that
> does not work right now.
One experiment that can be done is to remove all "per-server" HTTP services for the IPA server, and instead add their name as aliases on the common load-balancer name. This would mean that all IPA servers would have just one key in their HTTP keytab, but the KDC would release tickets readable by that key for any name the clients may ask for.

It is a bit tricky: every time you build a replica you want to load-balance, you'll have to go back and remove the service and switch keytabs, but it may be an option.

Of course if you brick IPA then you get to keep the pieces :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
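Added example, not part of the mail above: a POSIX shell check that a replica's HTTP keytab carries keys for only the shared load-balancer principal, which is the state the experiment ends in once the per-server service has been removed and the keytab switched. It runs over constructed `klist -kt` output; the hostnames ipa.example.test (load balancer) and ipa1.example.test (replica) and the realm EXAMPLE.TEST are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that an IPA server's HTTP
# keytab holds keys for exactly one principal, the load-balancer name.
# Input is `klist -kt <keytab>` output on stdin; a sample is constructed
# below so the script runs without an IPA server.

# Constructed sample of `klist -kt /etc/httpd/conf/ipa.keytab` from a replica
# that still has its per-server key next to the load-balancer key.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/31/2015 13:50:00 HTTP/ipa1.example.test@EXAMPLE.TEST
   2 03/31/2015 13:50:00 HTTP/ipa1.example.test@EXAMPLE.TEST
   1 03/31/2015 13:51:00 HTTP/ipa.example.test@EXAMPLE.TEST'

# Print the distinct HTTP/ principals found in klist -kt output given on stdin
# (the principal is the last field of each key line; header lines have none).
http_principals() {
    awk '$NF ~ /^HTTP\//{print $NF}' | sort -u
}

# check_single_http_key LBNAME: returns 0 when the keytab on stdin contains
# exactly one HTTP principal and it is HTTP/LBNAME@..., 1 otherwise, listing
# every leftover per-server principal that still needs to be removed.
check_single_http_key() {
    lb="$1"
    princs=$(http_principals)
    count=$(printf '%s\n' "$princs" | grep -c . || true)
    extra=$(printf '%s\n' "$princs" | grep -vF "HTTP/$lb@" || true)
    if [ "$count" -eq 1 ] && [ -z "$extra" ]; then
        echo "ok: only HTTP/$lb present in keytab"
        return 0
    fi
    echo "keytab still holds per-server HTTP keys:" >&2
    printf '%s\n' "$extra" >&2
    return 1
}

# Against a real server: klist -kt /etc/httpd/conf/ipa.keytab | check_single_http_key ipa.example.test
if ! printf '%s\n' "$SAMPLE_KLIST" | check_single_http_key ipa.example.test; then
    echo "demo: remove the per-server key before switching to the shared keytab"
fi
```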